• Status: Solved
  • Priority: Medium
  • Security: Public

Risk Analysis

What is a generic risk tool for business? And how can someone design it for a business? And is there any formula, equation or way of solving it?
2 Solutions
> What is a generic risk tool for business?

Lies between your ears

> And how can someone design it for a business?

You get to remember --- and, to take it with you (even upon corporate bankruptcy)

> And is there any formula, equation or way of solving it?

Solving what? Risk? Risky business?

You probably want something like modeling, or to focus on special ops like:


Unless you want the old stuff, or the definitions from Detroit.

Companies hire lawyers.

To make a safety device, what is the cost?
To lose lawsuits, what is the cost?

Math is normally a simple add/subtract oversimplification. And risk, all too often, is a small bullet on the business agenda getting little attention, if any (businessmen 'assume' they will get another job before the sh@t hits the fan concerning behavior on their current one).

But my hat's off to you for trying; risk analysis is a very, very important piece of work for any business with long-term objectives.
Also: think of Murphy's law:

If it can go wrong: it will,
And it is likely to fail when you can least afford it

Thus: Contingency Planning
(see also: backup)
First write up some Requirements

Then, the most generic handler I've found is called brainstorming. Collect a handful of reasonably knowledgeable people (an expert is OK), then just make up stuff, even silly stuff (get loose; sillier is better), and have one member nominated to write it up on the board for all to see. Give that person a neat title, like "facilitator", and keep 'em happy (to write, cheer, cajole, entice). After an hour or so, with the board full of 'what could go wrong', take a quick break, come back and have people talk about what was written up, circle the more reasonable ones, and make some sense of it that can be placed into a list of probabilities, priorities, and type of risk. Use low/high for simplicity.

Equations are more applicable to repetitions of prior work.

One method I don't like is dumping off quality control onto the consumer market. This includes MTBF for HW such as disk drives, which really sounds like a match for a formula, but in practice is termed inefficient for business purposes (marketing, time to market).

Where formulas are used, it becomes a matter of developing a method for reducing costs to two items:

Cost if event occurs (risk)
Cost to avoid the event

Then compare
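The two-item comparison above is the whole of the quantitative method, so here it is carried through in code. This is an added example, not code from the thread or from any tool mentioned on this page. It takes a brainstormed register of the kind described in the answer (each item given a per-event cost and an expected yearly frequency), computes the annualized loss expectancy ALE = SLE x ARO as the "cost if event occurs" line, and sets it against the yearly "cost to avoid the event" for each candidate control. Controls can cut frequency (mitigation), cut per-event loss (recovery), or cap the retained loss per event (insurance, i.e. risk transfer). All risk names, dollar figures and frequencies are constructed sample data, not measurements.

```python
"""Annualized-loss comparison for a brainstormed risk register.

Added example, not code from the thread. It carries out the two-item
comparison described in the answer above (cost if the event occurs versus
cost to avoid it) with the usual annualized arithmetic:

    ALE     = SLE * ARO            (annualized loss expectancy)
    benefit = ALE_before - ALE_after
    net     = benefit - annual cost of the control

All figures below are constructed sample data, not measurements.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost if the event occurs once
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: the 'cost if event occurs' line."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str              # name of the Risk this control addresses
    annual_cost: float     # the 'cost to avoid the event' line, per year
    aro_factor: float = 1.0    # fraction of events that still occur (mitigation)
    sle_factor: float = 1.0    # fraction of per-event loss that remains (recovery)
    deductible: Optional[float] = None  # risk transfer: loss retained per event


@dataclass(frozen=True)
class Evaluation:
    risk: str
    control: str
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def benefit(self) -> float:
        return self.ale_before - self.ale_after

    @property
    def net(self) -> float:
        return self.benefit - self.annual_cost

    @property
    def roi(self) -> float:
        return self.net / self.annual_cost if self.annual_cost else float("inf")


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE left after the control is in place (insurance caps the per-event loss)."""
    per_event = risk.sle * control.sle_factor
    if control.deductible is not None:
        per_event = min(per_event, control.deductible)
    return per_event * risk.aro * control.aro_factor


def evaluate(risks, controls):
    by_name = {r.name: r for r in risks}
    return [
        Evaluation(c.risk, c.name, by_name[c.risk].ale,
                   residual_ale(by_name[c.risk], c), c.annual_cost)
        for c in controls
    ]


def best_per_risk(evaluations):
    """For each risk, the control with the largest positive net; omitted if none pays off."""
    best = {}
    for e in evaluations:
        current = best.get(e.risk)
        if e.net > 0 and (current is None or e.net > current.net):
            best[e.risk] = e
    return {risk: e.control for risk, e in best.items()}


def negligible(risks, threshold: float):
    """Exposures whose ALE is below the threshold: candidates to accept and ignore."""
    return [r.name for r in risks if r.ale < threshold]


# Constructed register, as it might come off the brainstorming board.
RISKS = [
    Risk("Primary site power outage", sle=50_000, aro=2.0),
    Risk("Ransomware on file servers", sle=400_000, aro=0.1),
    Risk("Unencrypted laptop stolen", sle=20_000, aro=0.5),
    Risk("Meteor strike on data center", sle=5_000_000, aro=1e-7),
]

CONTROLS = [
    Control("On-site diesel generator", "Primary site power outage", 15_000, aro_factor=0.1),
    Control("Redundant electric service", "Primary site power outage", 60_000, aro_factor=0.05),
    Control("Offline backups, tested restores", "Ransomware on file servers", 12_000, sle_factor=0.25),
    Control("Cyber insurance, 100k deductible", "Ransomware on file servers", 30_000, deductible=100_000),
    Control("Full-disk encryption", "Unencrypted laptop stolen", 2_000, sle_factor=0.1),
    Control("Meteor shelter", "Meteor strike on data center", 5_000, aro_factor=0.0),
]

if __name__ == "__main__":
    results = evaluate(RISKS, CONTROLS)
    for e in results:
        print(f"{e.control:34} ALE {e.ale_before:>10,.0f} -> {e.ale_after:>9,.0f}"
              f"  cost {e.annual_cost:>7,.0f}  net {e.net:>9,.0f}  ROI {e.roi:5.2f}")
    print("Recommended:", best_per_risk(results))
    print("Safe to ignore (ALE < 1,000/yr):", negligible(RISKS, 1_000))
```

Two things the table makes visible that the brainstorming board does not: the cheaper generator beats the redundant feed on net benefit even though the feed removes more outages, and the insurance policy, whose premium exactly equals the loss it transfers, shows a net of zero, so it is a risk transfer with no expected-value gain and should be justified on variance, not ROI. The ARO and SLE inputs are the weak point of the whole method; where the answer suggests low/high buckets, map each bucket to a number range and rerun with both ends to see whether the ranking changes.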
Today's focus: Web-enabled risk analysis

By M.E. Kabay

My good friend and colleague Robert Jacobson recently released his time-tested Cost-of-Risk Analysis tool in a Web-based format. CORA-Web prioritizes the risk exposures of a facility and identifies the most cost-effective mitigation strategy to make best use of available resources.

In the process, it builds a solid business case for risk management recommendations. CORA-Web fully supports the Business Impact Analysis process defined in the draft NIST Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems":

A recent Deloitte & Touche study of e-businesses disclosed that no respondents were using risk analysis tools to guide risk management decisions: http://www.isaca.org/ecomm.htm

"This is easy to understand," said William Murray, senior
researcher on the study, "because until recently there have
been no efficient, realistic tools. On the other hand, these
are decisions where the use of intuition can result in very
expensive error. An efficient tool can easily cover its own

"I have found CORA and its predecessor IST products to be
powerful analytical tools for understanding security issues and
managing risks," said Lynn McNulty, head of security
consultants McNulty and Associates and former associate
director for computer security at the National Institute of
Standards and Technology.

While serving as director of information systems security for
the Federal Aviation Administration, McNulty used these tools
to analyze an air route traffic control center.  "This was the
first quantitative risk analysis of an ARTCC," he said. "CORA
makes it easy for an enterprise to quantify and manage all of
its risks, and CORA-Web will make it easy for a team to
collaborate on a project."

According to Jacobson, open-ended questionnaires have
limitations that are overcome by CORA-Web's quantitative model
of risk, which focuses attention on the specific details of the
risk environment needed to make prudent management decisions.
Each user defines exactly which risk factors to include in a
risk analysis, and employs the results to evaluate the
cost/performance of a full range of risk mitigation, risk
transfer, and risk recovery measures.

The application service provider Dynamic Access Systems is
hosting CORA-Web. CEO Alan Duncan said, "As an ASP, we put
great emphasis on risk management to ensure that we achieve the
service levels that our clients expect of us. CORA makes it
easy to analyze our risks, particularly threats that can cause
service interruptions, and to choose the optimum risk
mitigation strategies. The CORA analysis of the DynAccSys ASP
systems has made a very strong contribution to our marketing
and sales promotion."

For more information about CORA and CORA-Web, see Jacobson's
Web site at: http://www.ist-usa.com/

* * *

Disclaimer:  I have no financial interest whatever in CORA or
in International Security Technology, Inc. Because I have not
yet evaluated the software, this column should not be construed
as an endorsement.

To contact M. E. Kabay:

M. E. Kabay, PhD, CISSP is Associate Professor in the
Department of Computer Information Systems at Norwich
University in Northfield, Vt. Mich can be reached by e-mail at
mailto:mkabay@compuserve.com  He invites inquiries about his
information security and operations management courses and
consulting services. For papers and course materials on
information technology, security and management, visit his Web
site at http://www2.norwich.edu/mkabay/index.htm
http://www.ist-usa.com/aboutcoraweb.htm:

The CORA-Web™ "Sixty-Day Solution"

What do you need to do?

Go beyond a simplistic Business Impact Analysis to a full quantitative evaluation of measures to reduce e-business service interruptions, and generate an ROI analysis of each possible strategy.
Build a solid business case for a specific business continuity measure, e.g. remote data copy, on-site diesel generator set, redundant electric service, etc.
Make a credible budget line item for risk losses!
Quantify risk exposures and generate a Frequency-Consequence Plot automatically.
Evaluate the ROI of insurance policies.
Determine the optimum business recovery strategy and Recovery Time Objective (RTO).  
Select from several alternative security solutions.
Identify risk exposures that can safely be ignored.
Help is at hand. CORA-Web™ is a powerful risk management decision support system that can resolve risk management requirements like these examples.
Risk analysis for any business involves freezing some parameters, ignoring others, and not even knowing about the most important ones, which probably do not exist at the time the analysis is done.

I had some experience with exponential smoothing and realized it was being pushed in a market forecasting area where it did not fit, because actual quantities were far below those assumed in the development of exponential smoothing theory.  An "old timer" could do better with his traditional "seat of the pants" method.

In another instance I was asked to review equations developed by the operations research staff.  Several pages into the analysis I found significant mathematical errors.

At a seminar where that operations research team went up against the marketing manager, it was brought out that he, consistently, did as well, again with "seat of the pants" methods, as the highly trained operations research people did with their fancy mathematics.

"Experience is the best teacher".

Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts Split between SunBow and FlamingSword.
Please leave any comments here within the next seven days.


EE Page Editor